AppSec Europe 2006/Training

Conference Training Day - One Day Training Course - May 29th, 2006

OWASP has arranged to have two one day Web Application Security training courses the day prior to the conference.

The first course will be provided by a long time contributor to OWASP, Aspect Security. The second course will be provided by another active OWASP member, the Arctec Group. These courses are being offered to attendees of the OWASP conference at a large discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.

T1

Foundations of Web Application Security - One Day Course - May 29th, 2006

T2

Web Services and XML Security - One Day Course - May 29th, 2006

*Note: Information corresponding to each training course is located below.

Pricing

Each course is 600 Euros for attendees of the OWASP conference.

Location

Training room at KU Leuven in College De Valk. T1 will be held in room DV3 01.08 and T2 will be in room DV3 01.10.

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful one day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

Details

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following common vulnerability areas:

Unvalidated Parameters *

Broken Access Control *

Broken Account and Session Management *

Cross-Site Scripting (XSS) Flaws *

Buffer Overflows *

Command Injection Flaws *

Error Handling Problems *

Insecure Use of Cryptography *

Denial of Service *

Web and Application Server Misconfiguration *

Poor Logging Practices

Caching, Pooling, and Reuse Errors

Code Quality

* The OWASP Top Ten Most Critical Web Application Vulnerabilities

Additional details on these are available at Aspect's Common Web Application Vulnerability Areas page.

For each area, the course covers the following:

Theoretical foundations

Recommended security policies

Common pitfalls when implementing

Details on historical exploits

Best practices for implementation

Class begins at 8 AM and runs until 5 PM.

Hands on Exercises

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

Note: OWASP will not be able to supply laptops for students to use for these exercises. If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.